IETF Logo Mail Archive

Re: [hybi] WebSockets : Question about masqued frames !

Willy Tarreau <w@1wt.eu> Sat, 11 June 2011 06:15 UTC

Return-Path: <w@1wt.eu>
X-Original-To: hybi@ietfa.amsl.com
Delivered-To: hybi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C9D611E8071 for <hybi@ietfa.amsl.com>; Fri, 10 Jun 2011 23:15:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.171
X-Spam-Level:
X-Spam-Status: No, score=-6.171 tagged_above=-999 required=5 tests=[AWL=-4.428, BAYES_00=-2.599, HELO_IS_SMALL6=0.556, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qZd1n7WkzXSm for <hybi@ietfa.amsl.com>; Fri, 10 Jun 2011 23:15:21 -0700 (PDT)
Received: from 1wt.eu (1wt.eu [62.212.114.60]) by ietfa.amsl.com (Postfix) with ESMTP id 9C1D19E8008 for <hybi@ietf.org>; Fri, 10 Jun 2011 23:15:20 -0700 (PDT)
Received: (from willy@localhost) by mail.home.local (8.14.4/8.14.4/Submit) id p5B6FEmS003318; Sat, 11 Jun 2011 08:15:14 +0200
Date: Sat, 11 Jun 2011 08:15:14 +0200
From: Willy Tarreau <w@1wt.eu>
To: Iñaki Baz Castillo <ibc@aliax.net>
Message-ID: <20110611061514.GA2252@1wt.eu>
References: <002101cc26b7$c8901c20$59b05460$@fr> <4DF0F6C5.5050807@weelya.com> <BANLkTimfxbcwPmYMcqW=8d22Z8sEpTn6rg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <BANLkTimfxbcwPmYMcqW=8d22Z8sEpTn6rg@mail.gmail.com>
User-Agent: Mutt/1.4.2.3i
Cc: hybi@ietf.org
Subject: Re: [hybi] WebSockets : Question about masqued frames !
X-BeenThere: hybi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Server-Initiated HTTP <hybi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hybi>, <mailto:hybi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hybi>
List-Post: <mailto:hybi@ietf.org>
List-Help: <mailto:hybi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hybi>, <mailto:hybi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jun 2011 06:15:21 -0000

On Sat, Jun 11, 2011 at 08:10:28AM +0200, Iñaki Baz Castillo wrote:
> 2011/6/9 Anthony Catel <a.catel@weelya.com>:
> > It's mainly because of proxy traversal (please read previous discussions
> > about cache poisoning & co)
> 
> IMHO this doesn't answer the original question:
> 
> > So why not simply imagine a mask whose evolutionary of the Salt was fixed at the start (why not from the handshake key) and whose encryption evolve based on the contents of the frames?
> 
> The author of the thread is not suggesting removing the client->server
> masking, but just make it predictable (for example from the WS
> handshake data) rather than having each frame its own masking key.
> Would be any (security) issue in the suggested case? I don't think so,
> but just wondering.

This was discussed in great detail in the past (as everything around masking).
The issue if the mask doesn't change is that the server knows it, so if it is
running malicious code (and so does the client), then it can tell the mask to
the client which will be able to emit predicted contents over the wire. So the
mask must change between two exchanges so that the client cannot guess it.

Willy

v2.23.0 | Report a Bug | By Email